Small things worth noting
Lots of crypto
Subsequent requests are quicker
That was SP first - IdP first is also possible
That was Browser/POST - there's also Browser/Artefact
Use of SAML (but SAML isn't Shibboleth)
The WAYF can be provided by the SP
Notes:
The authentication assertion is signed to prevent tampering. The attribute query and attribute assertion travel over an SSL/TLS connection which allows both ends to be strongly authenticated.
The whole exchange can be quicker for subsequent authentications – WAYFs typically provide shortcuts for accessing recently used IdPs, Raven only requires one login per session, etc.
Other message sequences are possible to achieve the same thing – we described an SP-first flow, but it is also possible to have an IdP-first flow where the user visits the IdP first, authenticates, and only then contacts the SP. Another possibility is to avoid the use of forms and JavaScript (the SAML Browser/POST profile) by redirecting the user back to the SP with a small random token called an artefact, which the SP then uses to collect the full authentication assertion over SOAP. This is known as the SAML Browser/Artefact profile.
Note the reliance on SAML, but remember that Shibboleth is just one of many possible applications that use SAML.
The WAYF can be provided by the SP – this can result in a cleaner interface since the SP knows who its customers are (e.g. Science Direct)
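The Browser/Artefact note above and the signed-assertion note can be seen working together in the following toy model. It is an added example, not Shibboleth or SAML library code: an HMAC stands in for the XML signature, a Python dict stands in for the SOAP artefact-resolution endpoint, and the names IdP, SP, authenticate, resolve and consume_artefact are constructed for the illustration.

```python
"""Toy model of the SAML Browser/Artefact flow from the notes (constructed example).
The IdP hands the browser only a short random artefact; the SP resolves it over a
back-channel, then checks signature, audience, age, and that it was not reused."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed key shared by both sides for the toy; a real IdP signs with XML-DSig
# and an X.509 key, and the SP verifies with the IdP's certificate from metadata.
IDP_KEY = b"constructed-idp-signing-key"


def _sign(assertion, key):
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdP:
    def __init__(self, key=IDP_KEY):
        self.key = key
        self.pending = {}  # artefact -> (assertion, signature); consumed on first resolution

    def authenticate(self, user, sp_id):
        """Returns the artefact that would be carried back to the SP in the redirect."""
        assertion = {"subject": user, "audience": sp_id, "issued": time.time()}
        artefact = secrets.token_urlsafe(20)  # small random token, carries no user data
        self.pending[artefact] = (assertion, _sign(assertion, self.key))
        return artefact

    def resolve(self, artefact):
        """Back-channel resolution (SOAP over TLS in the real profile); single use."""
        return self.pending.pop(artefact, None)


class SP:
    def __init__(self, sp_id, idp, key=IDP_KEY, max_age=300):
        self.sp_id, self.idp, self.key, self.max_age = sp_id, idp, key, max_age

    def consume_artefact(self, artefact):
        """Returns the authenticated subject, or None if the assertion is unusable."""
        result = self.idp.resolve(artefact)
        if result is None:
            return None  # unknown or already-consumed artefact (replay)
        assertion, sig = result
        if not hmac.compare_digest(sig, _sign(assertion, self.key)):
            return None  # assertion was tampered with in transit
        if assertion["audience"] != self.sp_id:
            return None  # assertion issued for a different SP
        if time.time() - assertion["issued"] > self.max_age:
            return None  # stale assertion
        return assertion["subject"]
```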